1. Field
Embodiments of the invention relate to the field of computer networking; and more specifically, to a layer II bridging switch for subscriber aggregation.
2. Background
A layer II (data link layer in the Open Systems Interconnection (“OSI”) model) switch for subscriber aggregation, as known in the prior art, is a device used to connect multiple subscribers from one network to other network(s). The switch scans incoming data packets for the packet source and destination Media Access Control (“MAC”) addresses. The switch dynamically builds a forwarding table based upon the source MAC addresses of the data packets it encounters and the ports associated with those MAC addresses. If the destination MAC address of the data packet is in the forwarding table, the packet is forwarded to the port or circuit associated with the destination MAC address. If the destination MAC address of the data packet is not in the forwarding table, the packet is forwarded to all ports except the port corresponding to the source MAC address. If the destination MAC address is the same as the source MAC address, the data packet is dropped. Typically, a switch has homogeneous inputs and outputs, while a bridge is a switch that has heterogeneous inputs and outputs. A bridging switch refers to a switch that may have homogeneous or heterogeneous inputs/outputs.
FIG. 1 illustrates one embodiment of a subscriber management platform aggregating subscriber traffic with a bridge. In FIG. 1, during normal operation subscribers 102A-N connect to Internet 120 via subscriber management platform 106 and server 116. Server 116 is used by an Internet Service Provider (“ISP”) to control the access of subscribers 102A-N to Internet 120. By way of example and not limitation, server 116 controls the Internet access of subscribers 102A-N by establishing point-to-point protocol over Ethernet (PPPoE) subscriber sessions between subscribers 102A-N and server 116. Server 116 facilitates a connection to Internet 120 for subscribers 102A-N.
In addition, subscriber management platform 106 further manages subscribers 102A-N by controlling the flow of traffic between subscribers 102A-N and server 116. Subscriber management platform 106 includes context 108 with bridge 110 for managing the traffic flow of subscribers 102A-N. A context is an instance of a virtual router existing within the memory of subscriber management platform 106. Although not shown, subscriber management platform 106 may include multiple contexts 108, with each context 108 used for a particular ISP or ISP access point (not shown).
Circuits 104A-N are associated with subscribers 102A-N respectively. Circuit 114A is associated with server 116. A circuit may be a variety of connections (e.g., a PPPoE session, ATM PVC VPI/VCI, VLAN, etc.). Data packets sent from subscribers 102A-N through circuits 104A-N respectively are received by bridge interface 112A coupled to bridge 110. Data packets may be forwarded from bridge 110 via bridge interface 112B to server 116 through circuit 114A. Alternatively, packets may be forwarded from bridge 110 via bridge interface 112B to backup server 118 through circuit 114A. While packets may be forwarded from subscribers 102A-N to Internet 120, packets may also be forwarded between subscribers (e.g., subscriber 102A can send packets to subscriber 102B, etc.).
FIG. 2 is a block diagram illustrating a layer II bridge and the various types of packets that are forwarded by the layer II bridge. Circuit 204A couples subscriber 202A to bridge 204. Circuit 204B couples subscriber 202B to bridge 204. Circuit 214A couples server 206 to bridge 204. Various types of packets may be forwarded by bridge 204 from subscriber 202A. Internet 208 is coupled to server 206.
It can be seen from FIG. 2 that a prior art embodiment of a layer II bridge may allow certain security problems. For example, a prior art embodiment of a layer II bridge may allow a malicious subscriber to send unwanted packets to another subscriber. This may result in a denial of service for the receiving subscriber. For example, if subscriber 202A sends large numbers of packets to subscriber 202B, subscriber 202B's network resources (such as bandwidth) may be consumed by the packets from subscriber 202A. This may effectively prevent subscriber 202B from being able to access Internet 208. An example of this is the dashed line representing packet (SRC=A1, DEST=A2), which is sent from circuit 204A to circuit 204B.
Furthermore, a malicious subscriber can “spoof” the source MAC address of another subscriber. For example, if subscriber 202A modifies the source MAC address of a packet from itself to match the MAC address of subscriber 202B (address A2), bridge 204 and server 206 will consider the packet to have originated from subscriber 202B. For example, packet (SRC=A2, DEST=!) sent from subscriber 202A will spoof the address of subscriber 202B. If subscriber 202B subscribes to a service that charges by the byte or by the amount of connection time, subscriber 202A would be effectively charging the account of subscriber 202B by spoofing the address of subscriber 202B. Furthermore, spoofing another subscriber's MAC address can hide other malicious actions such as sending viruses, launching denial of service attacks, denying service to the spoofed MAC address, etc.
In addition to spoofing a subscriber's MAC address, a malicious subscriber can also spoof the MAC address of a server. For example, if subscriber 202A modifies the source MAC address of a packet from itself to match the MAC address of server 206 (address A3), bridge 204 will consider the packet to have originated from server 206. For instance, packet (SRC=A3, DEST=!) sent from subscriber 202A will spoof the address of server 206. Bridge 204 will believe that server 206 has changed the circuit it uses, and will update the bridge table to reflect this. Thus, traffic intended for server 206 may be forwarded to subscriber 202A.
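As an added illustration (not part of the patent text), the following Python model implements the prior-art learning bridge exactly as the Background describes it and replays the FIG. 2 scenario: the unwanted subscriber-to-subscriber forwarding and the server-MAC spoof that relearns the server's table entry onto a subscriber circuit. The static MAC-to-circuit pinning is a constructed mitigation assumed for this example, not the patent's own method; circuit names and MAC labels follow FIG. 2.

```python
from dataclasses import dataclass, field

@dataclass
class Frame:
    src: str         # source MAC
    dst: str         # destination MAC ("*" = broadcast / not yet learned)
    in_circuit: str  # circuit the frame arrived on

@dataclass
class LearningBridge:
    circuits: set
    table: dict = field(default_factory=dict)   # MAC -> circuit, learned from sources
    # Constructed mitigation (assumption, not the patent's method): MACs pinned to a
    # circuit are never relearned elsewhere; frames claiming them from another
    # circuit are dropped without touching the table.
    static: dict = field(default_factory=dict)

    def __post_init__(self):
        self.table.update(self.static)

    def forward(self, f: Frame) -> set:
        """Return the set of circuits the frame is sent out on (empty = dropped)."""
        pinned = self.static.get(f.src)
        if pinned is not None and pinned != f.in_circuit:
            return set()                      # pinned MAC seen on the wrong circuit
        if pinned is None:
            self.table[f.src] = f.in_circuit  # prior-art learning from the source MAC
        if f.dst == f.src:
            return set()                      # source == destination: drop
        out = self.table.get(f.dst)
        if out is None:
            return self.circuits - {f.in_circuit}  # unknown destination: flood
        return {out}

def run_scenario(static=None) -> dict:
    """Replays FIG. 2: server MAC A3 on circuit 214A, subscribers A1/A2 on 204A/204B."""
    b = LearningBridge(circuits={"204A", "204B", "214A"}, static=static or {})
    b.forward(Frame("A3", "*", "214A"))                 # server learned on its circuit
    b.forward(Frame("A2", "A3", "204B"))                # subscriber 202B learned on 204B
    sub_to_sub = b.forward(Frame("A1", "A2", "204A"))   # SRC=A1, DEST=A2 reaches 204B
    spoof = b.forward(Frame("A3", "*", "204A"))         # 202A spoofs the server MAC A3
    server_bound = b.forward(Frame("A2", "A3", "204B")) # where server traffic now goes
    return {"sub_to_sub": sub_to_sub, "spoof_out": spoof,
            "server_bound": server_bound, "a3_circuit": b.table["A3"]}

if __name__ == "__main__":
    print("prior art:", run_scenario())                # server_bound -> {'204A'}
    print("pinned:   ", run_scenario({"A3": "214A"}))  # server_bound -> {'214A'}
```

Pinning the server MAC stops the table poisoning, but as the `sub_to_sub` result shows it does nothing about subscriber-to-subscriber forwarding, which needs a separate isolation control.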